25 most common passwords in 2016 and how quickly they can be cracked

Here is the list of Keeper Security’s 25 most common passwords in 2016, as well as how fast two different sites estimate those passwords can be cracked.

It’s nearly that time again when SplashData will release its annual list of worst passwords, but this list comes from Keeper Security. The company analyzed over 10 million passwords available on the public web before publishing a list of the 25 most common passwords of 2016. Keeper pointed a finger of blame at websites for not enforcing password best practices. Even if a site won’t help you determine whether a password is decent, people could still use common sense. It’s disheartening to know that 17 percent of people still try to safeguard their accounts with “123456.” And “password” is, of course, still on the list, as well as keyboard patterns such as “qwerty” and “123456789”.

I thought it might be interesting to list not only the passwords, but also how quickly they could be cracked. That changes all the time: when a site is hacked, the dumped passwords get added to cracking lists and can be cracked even quicker. Nevertheless, each password on Keeper’s list is broken down below into two estimated times to crack it; one estimate is from Random-ize and the other is from BetterBuys.

| Keeper’s list of worst passwords in 2016 | How long to hack password according to Random-ize | Estimated password-cracking time according to BetterBuys |
| --- | --- | --- |
| 1. 123456 | Less than one second | .25 milliseconds |
| 2. 123456789 | Less than one second | .25 milliseconds |
| 3. qwerty | Less than one second | .25 milliseconds |
| 4. 12345678 | Less than one second | .25 milliseconds |
| 5. 111111 | Less than one second | .25 milliseconds |
| 6. 1234567890 | 3 seconds | .25 milliseconds |
| 7. 1234567 | Less than one second | .25 milliseconds |
| 8. password | 1 minute, 13 seconds | .25 milliseconds |
| 9. 123123 | Less than one second | .25 milliseconds |
| 10. 987654321 | Less than one second | .25 milliseconds |
| 11. qwertyuiop | 13 hours, 48 minutes | 4 months, 4 days, 7 hours, 11 minutes, 46 seconds |
| 12. mynoob | Less than one second | 24 seconds |
| 13. 123321 | Less than one second | .25 milliseconds |
| 14. 666666 | Less than one second | .25 milliseconds |
| 15. 18atcskd2w | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 16. 7777777 | Less than one second | .25 milliseconds |
| 17. 1q2w3e4r | 16 minutes, 33 seconds | .25 milliseconds |
| 18. 654321 | Less than one second | .25 milliseconds |
| 19. 555555 | Less than one second | 2 minutes, 46 seconds |
| 20. 3rjs1la7qe | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 21. google | Less than one second | .25 milliseconds |
| 22. 1q2w3e4r5t | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 23. 123qwe | Less than one second | .25 milliseconds |
| 24. zxcvbnm | 2 seconds | .25 milliseconds |
| 25. 1q2w3e | Less than one second | .25 milliseconds |

As for some of the more peculiar random passwords appearing on the list, those particular oddballs showed up on LeakedSource in June 2016 after media company VerticalScope was hacked. The database contained “nearly 45 million records from over 1,100 websites and communities.” Graham Cluley said he suspected that some of the passwords in that leak, such as “18atcskd2w”, “3rjs1la7qe,” and “q0tsrbv488”, were “created by bots, perhaps with the intention of posting spam onto the forums.”

It’s worth noting that BetterBuys’ cracking uses an i5-6600K core processor, Intel data benchmarks and the cracking tool John the Ripper. It currently tests how quickly a password could be cracked in 2016, but each year as tech evolves and hackers become more proficient, passwords get weaker. Passwords that took a mere .29 milliseconds in 2015 could be cracked in .25 milliseconds in 2016. “For example,” BetterBuys wrote, “a password that would take over three years to crack in 2000 takes just over a year to crack by 2004. Five years later, in 2009, the cracking time drops to four months. By 2016, the same password could be decoded in just over two months. This demonstrates the importance of changing passwords frequently.”

Another example using a password on this list: In 2015, BetterBuys estimated that “qwertyuiop” could be cracked in 4 months, 3 weeks, 3 days, 32 minutes, 10 seconds; in 2016, the time shortened to 4 months, 4 days, 7 hours, 11 minutes, 46 seconds. Since “18atcskd2w” showed up on the list, it probably was added right away and now takes even less time to crack. But to show how the strength of passwords is weakened each year, BetterBuys estimated that in 2015 it would take 1 decade, 2 months, 2 weeks, 3 days, 16 hours, 30 minutes and 24 seconds to crack “18atcskd2w”. In 2016, it would take 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds.
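To illustrate why a multi-year estimate stops meaning anything once a password appears in a leak, here is an added example (not code from any of the sites mentioned) that compares an exhaustive-search estimate with a wordlist lookup. The guess rate and the short wordlist are assumptions chosen for illustration, not figures published by either estimator.

```python
import string

# Assumption for illustration: offline guesses per second. Not a published benchmark.
ASSUMED_GUESSES_PER_SECOND = 10_000_000

# Constructed stand-in for a cracking wordlist: a few entries from the list above,
# in rank order. Real wordlists hold millions of leaked passwords.
SAMPLE_WORDLIST = ["123456", "123456789", "qwerty", "password", "18atcskd2w"]

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(password):
    """Size of the smallest alphabet (union of character classes) covering the password."""
    known = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four ASCII classes are counted individually.
    extra = {c for c in password if not any(c in cls for cls in CLASSES)}
    return known + len(extra)

def exhaustive_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case for trying every string of this length over that alphabet."""
    return charset_size(password) ** len(password) / rate

def wordlist_seconds(password, wordlist, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to reach the password when guesses follow wordlist order; None if absent."""
    if password not in wordlist:
        return None
    return (wordlist.index(password) + 1) / rate

def estimate_seconds(password, wordlist, rate=ASSUMED_GUESSES_PER_SECOND):
    """A wordlist hit dominates; otherwise fall back to exhaustive search."""
    hit = wordlist_seconds(password, wordlist, rate)
    return hit if hit is not None else exhaustive_seconds(password, rate)

def compare(password, wordlist=SAMPLE_WORDLIST):
    """Return (seconds before the password leaked, seconds after it joined the wordlist)."""
    unleaked = [w for w in wordlist if w != password]
    return estimate_seconds(password, unleaked), estimate_seconds(password, wordlist)

if __name__ == "__main__":
    for pw in ("18atcskd2w", "qwerty", "qwertyuiop"):
        before, after = compare(pw)
        print(f"{pw:12} not in wordlist: {before:.3g} s   current wordlist: {after:.3g} s")
```

With these assumed inputs, “18atcskd2w” drops from roughly 11.6 years of exhaustive search to well under a millisecond once it is in the wordlist, while “qwertyuiop”, absent from this tiny sample list, keeps its exhaustive-search figure.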
If you think your 12-character password is secure, then you might want to check out a recent article by Netmux, a cybersecurity firm made up of former veterans, as it goes into details about how to crack 12-character passwords. If you aren’t using a password manager yet, then you should make that one of your 2017 resolutions.